Trackmageddon: critical vulnerabilities in GPS tracking systems

Researchers Vangelis Stykas and Michael Gruhn have disclosed Trackmageddon, a series of vulnerabilities that affect servers that host data from up to 103 online GPS and location services. According to Gruhn, about 6 million devices that offer these functions, such as car locators, pet locators, etc. would be affected.

The vulnerabilities would allow a malicious user to get hold of the database of said services, thus obtaining information from other users, such as location data, model and type of device used, IMEI numbers, telephone numbers, names of contacts, images and audio recordings. According to the CSO digital magazine, in the case of the www.gps958.com service, it would also be possible to access the history of locations, to send commands to the device and to activate or deactivate geolocation without any authentication.

Researchers indicate that, currently, only few affected manufacturers have corrected their domains, so most of them still vulnerable.